Chapter 9

Chapter 9. Building IPSEC VPNS Using Cisco Routers. Objectives. Upon completion of this chapter, you will be able to perform the following tasks: Define two types of Cisco router VPN solutions. Describe the Cisco VPN router product family.

Presentation Transcript


  1. Chapter 9 Building IPSEC VPNS Using Cisco Routers

  2. Objectives

  3. Objectives
     Upon completion of this chapter, you will be able to perform the following tasks:
     • Define two types of Cisco router VPN solutions.
     • Describe the Cisco VPN router product family.
     • Identify the IPSec and other open standards supported by Cisco VPN routers.
     • Identify the component technologies of IPSec.
     • Explain how IPSec works.

  4. Objectives (cont.)
     • Configure a Cisco router for IKE using pre-shared keys.
     • Configure a Cisco router for IPSec using pre-shared keys.
     • Verify the IKE and IPSec configuration.
     • Explain the issues regarding configuring IPSec manually and using RSA encrypted nonces.

  5. Cisco Routers Enable Secure VPNs

  6. VPN Definition
     • VPN—An encrypted connection between private networks over a public network such as the Internet
     (Diagram: a central site, remote sites, a mobile user and a server connected across the Internet over analog, ISDN, cable and DSL access)

  7. Remote Access VPNs
     • Remote access VPN—Extension/evolution of dial
     (Diagram: remote access clients, including a telecommuter on DSL/cable, a mobile user, an extranet and consumer-to-business users, reach the central site router through Internet POPs)

  8. Site-to-Site VPNs
     (Diagram: main office on 7100/7200/7400 Series, regional office on 3600/3700 Series, remote office on 1700/2600 Series and small office/home office on 800/900 Series routers, all connected across the Internet)

  9. Cisco VPN Router Portfolio
     (Diagram: product line by market segment, from teleworker/SOHO through SMB/small branch, enterprise branch and large branch to enterprise HQ and beyond: Cisco 800, Cisco 1700, Cisco 1760, Cisco 2600XM/2691, Cisco 3600, Cisco 3725, Cisco 3745)

  10. Cisco VPN Router Portfolio—Large Enterprise
      (Diagram: Cisco 7120, Cisco 7140, Cisco 7204/225, Cisco 7200/400, Cisco 7400 and Catalyst 6500)

  11. Small to Mid-Size—Cisco VPN Routers
      • Hardware accelerators deliver enhanced encryption performance

  12. Enterprise Size—Cisco VPN Routers
      • Hardware accelerators deliver enhanced encryption performance

      Platform             7120   7140   7140   7200   7400   7200   CAT 6500
      Maximum tunnels      2000   2000   3000   2000   5000   5000   8000
      Performance (Mbps)   50     85     145    90     120    145    1.9G
      Hardware encryption  ISM    ISM    VAM    ISA    VAM    VAM    Yes

  13. IPSec Overview

  14. What Is IPSec?
      • IPSec acts at the network layer, protecting and authenticating IP packets
      • Framework of open standards: algorithm independent
      • Provides data confidentiality, data integrity, and origin authentication
      (Diagram: a main site with an IPSec perimeter router, PIX Firewall and concentrator, connected over the Internet to a business partner with a Cisco router, a regional office with a PIX Firewall, a mobile worker with a Cisco VPN Client on a laptop computer, and a corporate SOHO with a Cisco ISDN/DSL router)

  15. IPSec Security Services
      • Confidentiality
      • Data integrity
      • Origin authentication
      • Anti-replay protection

  16. Confidentiality (Encryption)
      (Diagram: a quarterly report reading "Earnings off by 15%" crosses the Internet to a server in clear text; an onlooker reads it: "Hmmm . . . . This quarterly report does not look so good.")

  17. Types of Encryption
      (Diagram: the cheque "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" passes through an encryption algorithm, crosses the Internet as "4ehIDx67NMop9eR U78IOPotVBn45TR" and is restored by the decryption algorithm at the far end; the onlooker: "Hmmm . . . . I cannot read a thing.")

  18. DH Key Exchange
      (Diagram: Terry and Alex each combine the other's public key with their own private key: public key B + private key A and public key A + private key B give equal shared secret keys, (AB) = (BA). The resulting keys protect the protocol messages and the data traffic, so the cheque crosses the Internet as "4ehIDx67NMop9eR U78IOPotVBn45TR" and is decrypted on arrival.)

  19. DH Key Exchange
      Step  Peer A                                            Peer B
      1     Generate large integer p. Send p to Peer B.       Generate large integer q. Send q to Peer A.
            Receive q. Generate g.                            Receive p. Generate g.
      2     Generate private key XA                           Generate private key XB
      3     Generate public key YA = g ^ XA mod p             Generate public key YB = g ^ XB mod p
      4     Send public key YA                                Send public key YB
      5     Generate shared secret number ZZ = YB ^ XA mod p  Generate shared secret number ZZ = YA ^ XB mod p
      6     Generate shared secret key from ZZ                Generate shared secret key from ZZ
            (DES, 3DES, or AES)                               (DES, 3DES, or AES)
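The six steps of slide 19 carried out by both peers in Python. This is an added example, not code from the slides or from Cisco IOS; the prime P and base G are constructed toy parameters (far smaller than IKE's DH1/DH2 groups), and the SHA-256 key derivation in step 6 stands in for IKE's own PRF-based derivation.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example. 2**127 - 1 is a
# Mersenne prime: large enough that the arithmetic is not trivial, far too
# small for real use (IKE DH group 1 is a 768-bit MODP prime, group 2 1024-bit).
P = 2**127 - 1
G = 5


def generate_private_key(p):
    """Step 2: random private exponent X in [2, p-2]; it never leaves the peer."""
    return 2 + secrets.randbelow(p - 3)


def public_key(g, x, p):
    """Step 3: Y = g ^ X mod p, the only value sent to the other peer."""
    return pow(g, x, p)


def shared_secret(peer_public, x, p):
    """Step 5: ZZ = Y_peer ^ X mod p. Public values of 1 or p-1 are rejected:
    they would force ZZ into a tiny set regardless of the private key."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, p)


def derive_key(zz, key_len):
    """Step 6: turn the shared number into a symmetric key of key_len bytes
    (DES 8, 3DES 24, AES-128 16). SHA-256 stands in for IKE's own PRF-based
    SKEYID derivation; it is not the IKE construction."""
    zz_bytes = zz.to_bytes((zz.bit_length() + 7) // 8, "big")
    return hashlib.sha256(zz_bytes).digest()[:key_len]


def dh_exchange(p=P, g=G, key_len=24):
    """Run both peers and return (key_A, key_B) so the caller can verify
    that two independent private keys produced one shared key."""
    xa, xb = generate_private_key(p), generate_private_key(p)
    ya, yb = public_key(g, xa, p), public_key(g, xb, p)   # step 4: exchanged
    zz_a = shared_secret(yb, xa, p)                        # A uses YB and XA
    zz_b = shared_secret(ya, xb, p)                        # B uses YA and XB
    return derive_key(zz_a, key_len), derive_key(zz_b, key_len)


if __name__ == "__main__":
    key_a, key_b = dh_exchange()
    print("peers agree:", key_a == key_b, "3DES key:", key_a.hex())
```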

  20. RSA Encryption
      (Diagram: Local encrypts the cheque "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" with Remote's public key; the ciphertext "KJklzeAidJfdlwiej47 DlItfd578MNSbXoE" crosses the Internet and Remote decrypts it with Remote's private key)

  21. Encryption Algorithms
      • Encryption algorithms
        • DES
        • 3DES
        • AES
        • RSA
      (Diagram: an encryption key turns the cheque into "4ehIDx67NMop9eR U78IOPotVBn45TR" and a decryption key turns it back)

  22. Data Integrity
      (Diagram: the cheque "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" is altered in transit to "Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars" by someone claiming "Yes, I am Alex Jones"; the hash of the received message, 12ehqPx67NMoX, differs from the original hash 4ehIDx67NMop9. Match = no changes; no match = alterations)

  23. HMAC
      (Diagram: Local feeds the variable-length input message and the shared secret key into the hash function, producing 4ehIDx67NMop9, and sends message + hash. Remote hashes the received message with the same shared secret key and compares its result with the received hash)

  24. HMAC Algorithms
      • HMAC algorithms
        • HMAC-MD5
        • HMAC-SHA-1
      (Diagram: the cheque passes through the hash function and yields 4ehIDx67NMop9)
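The sender and receiver halves of slides 22 to 24 in Python, using the cheque text from the slides: an added example, not from the original deck. The shared key is a constructed sample value; in IPSec it comes from the IKE exchange.

```python
import hashlib
import hmac

# Constructed sample values: the cheque text from the slides, the altered
# cheque from slide 22, and a shared secret both peers already hold (in IPSec
# it is derived from the IKE exchange).
SHARED_KEY = b"constructed-shared-secret-for-this-example"
MESSAGE = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
ALTERED = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars"


def compute_hmac(key, message, algorithm="sha1"):
    """Variable-length message + shared secret key -> fixed-length hash.
    'md5' gives HMAC-MD5 (16 bytes), 'sha1' gives HMAC-SHA-1 (20 bytes)."""
    return hmac.new(key, message, getattr(hashlib, algorithm)).digest()


def send(key, message, algorithm="sha1"):
    """Sender side: what crosses the Internet is message + hash."""
    return message + compute_hmac(key, message, algorithm)


def receive(key, wire, algorithm="sha1"):
    """Receiver side: split off the hash, recompute it over the received
    message with the shared key, and compare. Returns (message, match).
    compare_digest is constant-time, so the comparison itself leaks nothing
    about how many bytes of a wrong hash happened to be right."""
    tag_len = hashlib.new(algorithm).digest_size
    message, received_hash = wire[:-tag_len], wire[-tag_len:]
    expected = compute_hmac(key, message, algorithm)
    return message, hmac.compare_digest(expected, received_hash)


def altered_in_transit(wire, original, replacement):
    """Slide 22's scenario: payee and amount are rewritten on the way, but
    the appended hash cannot be regenerated without the shared key."""
    return wire.replace(original, replacement)


if __name__ == "__main__":
    wire = send(SHARED_KEY, MESSAGE)
    print("genuine:", receive(SHARED_KEY, wire)[1])   # True
    tampered = altered_in_transit(wire, MESSAGE, ALTERED)
    print("altered:", receive(SHARED_KEY, tampered)[1])   # False
```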

  25. Digital Signatures
      (Diagram: Local runs the cheque through the hash algorithm and encrypts the hash, 4ehIDx67NMop9, with its private key; the message and signature cross the Internet. Remote decrypts the signature with Local's public key, hashes the received cheque itself and compares the two hashes: Match)

  26. Peer Authentication
      • Peer authentication methods:
        • Pre-shared keys
        • RSA signatures
        • RSA encrypted nonces
      (Diagram: remote office and corporate office, with its HR servers, perform peer authentication across the Internet)

  27. Pre-Shared Keys
      (Diagram: the local peer and the remote router each hash the authentication key together with ID information; the remote compares its computed hash (Hash) with the received authenticating hash (Hash_L) for equality)

  28. RSA Signatures
      (Diagram: (1) Local hashes the authentication key and ID information to Hash_I, encrypts the hash with its private key to form a digital signature, and sends it together with its digital certificate. (2) Remote takes Local's public key from the digital certificate, decrypts the digital signature, and compares the result with its own hash of the authentication key and ID information)

  29. RSA Encrypted Nonces
      (Diagram: Local and Remote each hash the authentication key together with ID information; across the Internet, the computed hash (Hash_I) must equal the received authenticating hash (Hash_I))

  30. IPSec Protocol Framework

  31. IPSec Security Protocols
      • The Authentication Header provides the following:
        • Authentication
        • Integrity
      • The Encapsulating Security Payload provides the following:
        • Encryption
        • Authentication
        • Integrity
      (Diagram: with the Authentication Header, all data between Router A and Router B travels in clear text; with the Encapsulating Security Payload, the data payload is encrypted)

  32. Authentication Header
      • Ensures data integrity
      • Provides origin authentication (ensures packets definitely came from peer router)
      • Uses keyed-hash mechanism
      • Does not provide confidentiality (no encryption)
      • Provides anti-replay protection
      (Diagram: Router A to Router B, all data in clear text)

  33. AH Authentication and Integrity
      (Diagram: Router A hashes IP header + data + key to produce the authentication data 00ABCDEF, carried in the AH between the IP HDR and the data. Across the Internet, Router B hashes IP header + data + key again and compares the re-computed hash (00ABCDEF) with the received hash (00ABCDEF): equal)

  34. ESP
      • Data confidentiality (encryption)
      • Data integrity
      • Data origin authentication
      • Anti-replay protection
      (Diagram: Router A to Router B, data payload is encrypted)

  35. ESP Protocol
      • Provides confidentiality with encryption
      • Provides integrity with authentication
      (Diagram: the original packet IP HDR | Data travels between the routers as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth; the span from IP HDR through ESP Trailer is marked Encrypted, and ESP HDR through ESP Trailer is marked Authenticated)

  36. Modes of Use—Tunnel versus Transport Mode
      Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
                      (Data through ESP Trailer encrypted; ESP HDR through ESP Trailer authenticated)
      Tunnel mode:    New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
                      (IP HDR through ESP Trailer encrypted; ESP HDR through ESP Trailer authenticated)

  37. Tunnel Mode
      (Diagram: a remote office and a home office each reach the corporate office HR servers through a tunnel-mode connection across the Internet)

  38. IPSec Protocol—Framework
      IPSec Framework Choices:
      IPSec protocol:  ESP, AH
      Encryption:      DES, 3DES, AES
      Authentication:  MD5, SHA
      Diffie-Hellman:  DH1, DH2

  39. How IPSec Works

  40. Five Steps of IPSec
      • Interesting Traffic—The VPN devices recognize the traffic to protect.
      • IKE Phase 1—The VPN devices negotiate an IKE security policy and establish a secure channel.
      • IKE Phase 2—The VPN devices negotiate an IPSec security policy used to protect IPSec data.
      • Data transfer—The VPN devices apply security services to traffic and then transmit the traffic.
      • Tunnel terminated—The tunnel is torn down.
      (Diagram: Host A behind Router A, Host B behind Router B)

  41. Step 1—Interesting Traffic
      (Diagram: Host A 10.0.1.3 and Host B 10.0.2.3 behind Router A and Router B; traffic selected by the policy has IPSec applied, other traffic bypasses IPSec and is sent in cleartext)

  42. Step 2—IKE Phase 1
      (Diagram: IKE Phase 1 main mode exchange between Router A and Router B, for Host A 10.0.1.3 and Host B 10.0.2.3; each side negotiates the policy, performs the DH exchange, and verifies the peer identity)

  43. IKE Transform Sets
      • Negotiates matching IKE transform sets to protect IKE exchange
      (Diagram: Router A and Router B negotiate IKE proposals for Host A 10.0.1.3 and Host B 10.0.2.3. IKE policy sets shown: Transform 10 (DES, MD5, pre-share, DH1, lifetime); Transform 15 (DES, MD5, pre-share, DH1, lifetime); Transform 20 (3DES, SHA, pre-share, DH1, lifetime))

  44. DH Key Exchange
      (Diagram: as on slide 18, with Encrypt and Decrypt marked: Terry and Alex derive equal shared secret keys, (AB) = (BA), from public key B + private key A and public key A + private key B, and the cheque crosses the Internet as "4ehIDx67NMop9eR U78IOPotVBn45TR")

  45. Authenticate Peer Identity
      • Peer authentication methods
        • Pre-shared keys
        • RSA signatures
        • RSA encrypted nonces
      (Diagram: remote office and corporate office, with its HR servers, perform peer authentication across the Internet)

  46. Step 3—IKE Phase 2
      (Diagram: Router A and Router B negotiate IPSec security parameters for Host A 10.0.1.3 and Host B 10.0.2.3)

  47. IPSec Transform Sets
      • A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
      (Diagram: Router A and Router B negotiate transform sets for Host A 10.0.1.3 and Host B 10.0.2.3. Transform sets shown: Transform set 30 (ESP, 3DES, SHA, tunnel, lifetime); Transform set 40 (ESP, DES, MD5, tunnel, lifetime); Transform set 55 (ESP, 3DES, SHA, tunnel, lifetime))
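How a responder finds a common policy among the IKE policies of slide 43 and the IPSec transform sets of slide 47, as an added Python example (not code from the deck or from IOS). The numbers and attribute values are the ones on the slides; which router holds which set, and the "lowest local priority number with an exact match" rule, are assumptions modelled on IOS behaviour rather than a transcription of it.

```python
# IKE Phase 1 policies from slide 43 (policy number -> attributes). Which
# router holds which set is an assumption; the slide does not say.
IKE_POLICIES_A = {10: ("des", "md5", "pre-share", "dh1"),
                  20: ("3des", "sha", "pre-share", "dh1")}
IKE_POLICIES_B = {15: ("des", "md5", "pre-share", "dh1")}

# IPSec transform sets from slide 47: name -> (protocol, cipher, hash, mode).
IPSEC_SETS_A = {"set30": ("esp", "3des", "sha", "tunnel"),
                "set40": ("esp", "des", "md5", "tunnel")}
IPSEC_SETS_B = {"set55": ("esp", "3des", "sha", "tunnel")}

# Algorithms on these slides that no longer meet current guidance; a policy
# review should flag any negotiated set containing them.
WEAK = {"des": "56-bit key",
        "3des": "deprecated by NIST SP 800-131A",
        "md5": "broken hash function",
        "dh1": "768-bit MODP group"}


def negotiate(local, remote):
    """Responder-side selection: walk local entries in priority order (lowest
    number or name first) and return (local_id, remote_id, attrs) for the first
    one whose attributes exactly match a remote proposal. None means the peers
    share no policy and the tunnel cannot be built."""
    for local_id in sorted(local):
        for remote_id, attrs in remote.items():
            if local[local_id] == attrs:
                return local_id, remote_id, attrs
    return None


def negotiate_lifetime(local_seconds, remote_seconds):
    """Lifetime is the one attribute that need not match: the shorter wins."""
    return min(local_seconds, remote_seconds)


def weak_components(attrs):
    """Return (value, reason) for each attribute of a negotiated set that is
    on the WEAK list, so an operator sees why a matching policy is still poor."""
    return [(a, WEAK[a]) for a in attrs if a in WEAK]


if __name__ == "__main__":
    chosen = negotiate(IKE_POLICIES_A, IKE_POLICIES_B)
    print("IKE policy:", chosen, "weak:", weak_components(chosen[2]))
    print("IPSec set:", negotiate(IPSEC_SETS_A, IPSEC_SETS_B))
```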

  48. Security Associations (SA)
      SA Db:
      • Destination IP address
      • SPI
      • Protocol (ESP or AH)
      Security Policy Db:
      • Encryption algorithm
      • Authentication algorithm
      • Mode
      • Key lifetime
      (Diagram: a bank reached across the Internet, with two SA entries: 192.168.2.1, SPI 12, ESP/3DES/SHA, tunnel, 28800; and 192.168.12.1, SPI 39, ESP/DES/MD5, tunnel, 28800)

  49. SA Lifetime
      • Time-based
      • Data-based
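The SA database of slide 48 and the two lifetime types of slide 49 modelled in Python, as an added example that is not part of the deck. The two entries are the ones drawn on slide 48; the data-based lifetime value is constructed, since the slide gives only the time-based one.

```python
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    """One SA: the SA Db triple (dst_ip, spi, protocol) selects it; the
    remaining fields are its Security Policy Db attributes."""
    dst_ip: str
    spi: int
    protocol: str          # "esp" or "ah"
    cipher: str
    auth: str
    mode: str              # "tunnel" or "transport"
    lifetime_seconds: int  # time-based lifetime (28800 on slide 48)
    lifetime_kbytes: int   # data-based lifetime (constructed value below)
    age_seconds: int = 0
    kbytes_protected: int = 0

    def record(self, kbytes, seconds):
        """Account for traffic protected under this SA and time elapsed."""
        self.kbytes_protected += kbytes
        self.age_seconds += seconds

    def expired(self):
        """Slide 49: whichever limit, time or data, is reached first ends the
        SA, after which IKE Phase 2 must negotiate a fresh one."""
        return (self.age_seconds >= self.lifetime_seconds
                or self.kbytes_protected >= self.lifetime_kbytes)


class SADB:
    """Inbound SA lookup keyed exactly as the slide lists: dst IP, SPI, protocol."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst_ip, sa.spi, sa.protocol)] = sa

    def lookup(self, dst_ip, spi, protocol):
        """Return the live SA for a received packet, or None when the triple is
        unknown or the SA has expired; either way the packet is dropped rather
        than processed under a guessed policy."""
        sa = self._sas.get((dst_ip, spi, protocol))
        return None if sa is None or sa.expired() else sa


def build_sadb():
    """The two entries drawn on slide 48; the 100000 kB data lifetime is a
    constructed value the slide does not give."""
    db = SADB()
    db.add(SecurityAssociation("192.168.2.1", 12, "esp", "3des", "sha", "tunnel", 28800, 100000))
    db.add(SecurityAssociation("192.168.12.1", 39, "esp", "des", "md5", "tunnel", 28800, 100000))
    return db
```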

  50. Step 4—IPSec Session
      • SAs are exchanged between peers.
      • The negotiated security services are applied to the traffic.
      (Diagram: IPSec session between Router A and Router B, carrying traffic between Host A and Host B)
